Yash.

Nmap Commands Cheat Sheet. Quick reference for common commands. Perfect reference guide.

Scanning Options are as follows:

Option	What It Does	Example Command
`10.10.10.0/24`	Specifies the target network range.	`nmap 10.10.10.0/24`
`-sn`	Skips port scanning.	`nmap -sn 10.10.10.0/24`
`-Pn`	Disables ICMP Echo Requests (no ping).	`nmap -Pn 10.10.10.0/24`
`-n`	Avoids DNS resolution.	`nmap -n 10.10.10.0/24`
`-PE`	Ping scan using ICMP Echo Requests.	`nmap -PE 10.10.10.0/24`
`--packet-trace`	Shows detailed packet sending/receiving logs.	`nmap --packet-trace 10.10.10.0/24`
`--reason`	Displays the reason for a result.	`nmap --reason 10.10.10.0/24`
`--disable-arp-ping`	Disables ARP Ping.	`nmap --disable-arp-ping 10.10.10.0/24`
`--top-ports=<num>`	Scans the most common ports.	`nmap --top-ports=100 10.10.10.0/24`
`-p-`	Scans all ports.	`nmap -p- 10.10.10.0/24`
`-p22-110`	Scans ports between 22 and 110.	`nmap -p22-110 10.10.10.0/24`
`-p22,25`	Scans only ports 22 and 25.	`nmap -p22,25 10.10.10.0/24`
`-F`	Scans top 100 most common ports.	`nmap -F 10.10.10.0/24`
`-sS`	Performs a TCP SYN scan.	`nmap -sS 10.10.10.0/24`
`-sA`	Conducts a TCP ACK scan.	`nmap -sA 10.10.10.0/24`
`-sU`	Runs a UDP scan.	`nmap -sU 10.10.10.0/24`
`-sV`	Scans service versions.	`nmap -sV 10.10.10.0/24`
`-sC`	Uses default scripts for scanning.	`nmap -sC 10.10.10.0/24`
`--script <script>`	Runs specified scripts during the scan.	`nmap --script http-title 10.10.10.0/24`
`-O`	Identifies the target’s operating system.	`nmap -O 10.10.10.0/24`
`-A`	OS, service, and traceroute detection.	`nmap -A 10.10.10.0/24`
`-D RND:5`	Uses 5 random decoys for the scan.	`nmap -D RND:5 10.10.10.0/24`
`-e`	Specifies the network interface for scanning.	`nmap -e eth0 10.10.10.0/24`
`-S 10.10.10.200`	Sets the source IP address.	`nmap -S 10.10.10.200 10.10.10.0/24`
`-g`	Specifies the source port.	`nmap -g 80 10.10.10.0/24`
`--dns-server <ns>`	Uses a custom DNS server for resolution.	`nmap --dns-server 8.8.8.8 10.10.10.0/24`

Output Options


Option	What It Does	Example Command
`-oA filename`	Saves results in all formats under the given filename.	`nmap -oA scan_results 10.10.10.0/24`
`-oN filename`	Saves results in a normal text format.	`nmap -oN scan.txt 10.10.10.0/24`
`-oG filename`	Saves results in a grepable format.	`nmap -oG scan.grep 10.10.10.0/24`
`-oX filename`	Saves results in XML format.	`nmap -oX scan.xml 10.10.10.0/24`

Performance Options


Option	What It Does	Example Command
`--max-retries <num>`	Sets the number of retries for failed scans.	`nmap --max-retries 3 10.10.10.0/24`
`--stats-every=5s`	Displays scan progress every 5 seconds.	`nmap --stats-every=5s 10.10.10.0/24`
`-v/-vv`	Increases verbosity during the scan.	`nmap -vv 10.10.10.0/24`
`--initial-rtt-timeout 50ms`	Sets the initial round-trip timeout value.	`nmap --initial-rtt-timeout 50ms 10.10.10.0/24`
`--max-rtt-timeout 100ms`	Sets the maximum round-trip timeout value.	`nmap --max-rtt-timeout 100ms 10.10.10.0/24`
`--min-rate 300`	Sets the rate of packets sent per second.	`nmap --min-rate 300 10.10.10.0/24`
`-T <0-5>`	Chooses the scan timing template (0 = slowest, 5 = fastest).	`nmap -T4 10.10.10.0/24`

Script Categories


Category	What It Does	Example Command
`auth`	Tests for authentication weaknesses.	`nmap --script auth 10.10.10.0/24`
`broadcast`	Discovers hosts via broadcasting.	`nmap --script broadcast 10.10.10.0/24`
`brute`	Brute-forces logins with common credentials.	`nmap --script brute 10.10.10.0/24`
`default`	Runs default scripts with the `-sC` option.	`nmap -sC 10.10.10.0/24`
`discovery`	Identifies available services.	`nmap --script discovery 10.10.10.0/24`
`dos`	Tests for Denial of Service vulnerabilities (risky).	`nmap --script dos 10.10.10.0/24`
`exploit`	Attempts to exploit known vulnerabilities.	`nmap --script exploit 10.10.10.0/24`
`external`	Uses external services for data processing.	`nmap --script external 10.10.10.0/24`
`fuzzer`	Identifies vulnerabilities by sending malformed packets.	`nmap --script fuzzer 10.10.10.0/24`
`intrusive`	Performs potentially damaging tests.	`nmap --script intrusive 10.10.10.0/24`
`malware`	Scans for signs of malware infections.	`nmap --script malware 10.10.10.0/24`
`safe`	Safe, non-intrusive defensive scans.	`nmap --script safe 10.10.10.0/24`
`version`	Detects service versions.	`nmap --script version 10.10.10.0/24`
`vuln`	Scans for specific vulnerabilities.	`nmap --script vuln 10.10.10.0/24`

Nmap cheat sheet